[57] ABSTRACT

A resource manager in a client/server computer network 
controls the availability of system resources. A system 
administrator generates a set of profiles which specify which 
system resources each user may employ for each of multiple 
application programs. Individual application programs may 
internally configure their possible choices of such system 
resources according to the appropriate profile on a dynamic 
basis. 
APPLICATION-PROGRAM CONTROL [...]

[...] Field of the Invention

[...] computer systems. [...] computer system, a single central
processor [...] computers each running similar operating system
programs, [...]

Most present client/server networks implement an [...] in which some
or all [...] into two portions. A server portion [...], while a
separate [...] client computer can [...]

[...] can be shared by some or all of the other computers in the
network. One or more server processors, for example, are scheduled
among the tasks of different users. Memory pools of [...] are
allocated to tasks being executed and [...] similarly [...] as
separate file servers. Other capabilities are also considered to be
system resources. For ex[...] applications generally have both an
interactive and a batch mode for processing [...]. The
interactive-mode resource uses large [...] of processor [...] sees
the server as a virtual part of his own [...] each example, the
client portion [...] the same in each client computer or workstation
[...] processor-intensive [...]

While system resources appear to be at the total disposal [...]
applications being executed by all [...] mainframe type [...]
central-processor-based operating [...] place restriction [...] at
[...] level or specified by an initialization file [...]
[...] a requested query. That is, the nature of present c/s networks
make it difficult to achieve a sufficient granularity of control in
allowing or denying particular system resources to particular users
for particular application programs or in response to certain factors
such as the size of a query. Dynamic control of such resources is
also precluded.

SUMMARY OF THE INVENTION

The present invention provides enhanced and more precise control over
the use of system resources by users and applications in a c/s
network of computers. [...] inexpensive to implement, and does not
interfere [...] when new [...] are added at the system or network
level. Moreover, resource restrictions can be imposed in a way which
is transparent to the user, rather than merely by returning an ugly
error message if the user attempts to engage the forbidden resource.

[...] these and other advantages through the cooperation of a
different profile for each user, and a control facility in each
application program which can read the current user's profile in
order to manage a specified set of system resources. The response of
the application to a particular profile might range from denying that
user the ability to run that particular program at all, down to
denying [...] of real-time queries or mandating the use of a [...]
application. Restrictions can be enforced by changing the [...]
user's profile. For example, forbidden choices may simply no longer
appear on menus or other user-interface constructs [...] program
itself. [...] be subjected to [...] reverification. That is, the
application program, which actually exists as only a single program,
appears as though it had been customized to each individual user, and
this customization is dynamically variable by a system administrator
or [...]

[...] application programs is mediated by parts of the c/s control
program located in the server and in each client; this is simple to
do, because both pieces of the [...] together as a single package.
Profiles are generated and stored in the server by a system
administrator. [...] signs onto the network from his client [...]
server downloads that user's profile to [...] interacts with [...].
When a user executes a particular application program in that
terminal, the application program itself governs which system
resources are available to that user independently of the operating
systems or other [...] on the client or on the server.

BRIEF DESCRIPTION OF THE DRAWING

FIG. 1 shows a typical client/server computer network which forms the
environment of the present invention.

FIG. 2 is a schematic overview of the client/server network of FIG. 1,
incorporating the invention.

FIG. 3 is a flowchart showing the operation of the invention within
the system of FIG. 2.

FIG. 4 details representative profiles of FIG. 2.

FIG. 5 shows a resource-manager-controlled interface of an application
program according to the invention.

FIG. 6 is a flowchart detailing the control of an application-program
interface of FIG. 5 according to the invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

FIG. 1 shows a network 100 of computers 110-140 configured in a
client/server configuration.

Server computer 110 may be any type of system, from a relatively small
personal computer (PC) to a large mainframe. In the particular
implementation discussed below, [...] computer, specifically an IBM
[...] (trademarks of IBM Corp.) [...] type of I/O device which
interact[...] with multiple terminals over communication facilities
150. A number of conventional facilities, such as APPC (Advanced
Program-to-Program Communications) routers and LU6.2 (Logical Unit
version 6.2) are available to handle the necessary communications
protocols.

Additional devices, represented by block 120, may also be coupled to
facilities 150 for interaction with the client terminals and with
server 110. As mentioned previously, block 120 may represent one or
more complete computer systems functioning as multiple servers in
network 100. Communications 150 may assume any of a number of
conventional forms, such as cables 151-152, switched telephone lines,
wireless devices, and many others.

Client terminals 130, 140 are commonly personal computers coupled to
facilities 150 by cable 151 to form a local area network (LAN) with
server 110. Other arrangements, however, may also be employed in any
conventional manner. A typical PC 130 contains a processor 131,
memory 132, I/O devices 133, and a port 133 coupled to cable 151. An
internal bus 135 interconnects these components with a display 136
for presenting data to a user and a keyboard, mouse, and/or other
input devices 137 for receiving data and commands from the user.

FIG. 2 shows client/server network 100 from [...] FIG. 1. Brackets at
the left [...] indicate the [...] server 110, communica[...] one of
the client terminals 130. [...] the labels U1-UN, [...] terminals
130-140. Any of the [...] any terminal [...]. When [...] and password
over facilities 150 to server 110. (Again, in some networks 100, a
user may be able to sign on to any one of multiple servers 110, 120.)
The association [...] user and terminal persists [...] user signs off
from his session.

Conventional operating system 210, an IBM OS/400 in this example,
manages the physical facilities of server 110, and controls the
execution of tasks such as 220-230 running on the server, as
symbolized by arrows 211, 212. Functional [...] of the operating
system employ a number of [...] 214 for a number of conventional
purposes such as [...] priorities, and security. For [...] it also
employs a number of system user profiles [...] users U1-UN, including
the access rights of each user to system objects (data and program
commands), [...] for messages to that user, and library lists.

Of the many applications which can be executed, database 220 is a
typical important example. In FIG. 2, all other applications are
lumped together as blocks 230. Code mod[...]
[...]municated between server 110 and [...] these modules implement
[...] for identifying which of the clients [...] reverse direction
and which user is [...] program, query manager 291 receives queries
[...] from server 110 to terminal 130 upon a [...]

[...] resources. The administrator then [...] (discussed below) [...]
system resources [...] a secure [...] within [...] to prevent
alteration within the terminal [...] application program [...] with
the [...]
[...] represent an application that it is not, or to claim resources
that it is not entitled to. Preferably, the application identity is
encrypted before transmission, to prevent a network eavesdropper from
intercepting the true identity and modifying or misusing it. If the
authentication is proper, block 310 transmits a positive response to
block 311 in the server. Appropriate encryption and authentication
methods are conventional in the art. If execution is not allowed,
block 311 returns control to block 307 for selection of another
application. (Alternatively, it would be possible to have block 307
employ the specific user profile stored by block 306 to merely
eliminate or dim menu choices for the non-allowed applications, so
that the user could not choose them in the first place.) That is, the
ability to run a given application at all can be treated as a system
resource for the present purpose.

Block 312 actually enforces the resource restrictions imposed by the
profile stored at 306 for the particular user for the particular
application program, represented by block 313. Application 313 may be
any one of a number of conventional programs, such as database
programs, spreadsheets, word processors, and so forth. The
application may run entirely in the client or, more commonly, may be
a network version which also includes a portion such as 317
concurrently executing in the server. When the application program
requests system resources, block 314 sends a message to the
appropriate block 317 for processing the request. Block 317 may be
physically implemented as a conventional device driver, a portion of
the operating system 213, in the server portion of a networked
application, or in other conventional ways. As mentioned previously,
the profile may also specify the manner of processing a request. For
example, subblock 318 may queue a batch-mode database query for later
processing, or subblock 319 may route the request to a different
device, such as a low-speed printer. In addition, server operating
systems 213 frequently contain conventional facilities for balancing
workloads in different subsystems of the network; block 314 could
furnish priority information for the current user and application
obtained from stored profiles at block 306. Line 320 returns data or
any acknowledgements to the application executing in block 312 of the
client.

Returning to block 312, there are various ways to couple a profile to
an application program so as to control which system resources a
particular user may obtain from that application. For example, a
crude method would be to place a sentry block (not shown) in line 316
so as to block unauthorized requests from ever reaching block 317.
While such an approach would work, it would create user confusion and
frustration by presenting apparently valid choices in the application
program which would return error messages when selected, or which
might even falsely appear to the user as system malfunctions.

Many modern application programs 313 employ external initialization
(.INI) files, associated either with the specific application or with
the operating system 283, which contain specifications for executing
the application, and/or which specify choices within the application
or choices presented to the user. For example, installing a new
printer under the Microsoft Windows operating system modifies a
WINDOWS.INI file to include a reference to the printer, so that a
separate word-processing program running under Windows can access
that file for a list of currently installed printers, and present
that list — now including the new printer — to a user when he
requests a PRINT operation for a document within the word processor.
Block 312 could thus itself edit such an initialization file
dynamically — that is, whenever a particular user selects an
application at block 307 — so as to change the application's own menu
choices, the list of facilities which it presents to the user.
Another method is to establish a special formal application program
interface (commonly known as "API"), a documented call which allows
one program to access a certain function of another program.

FIG. 4 represents a set 400 of profiles such as 252-253 in FIG. 2,
which are employed in the procedure 300 described in FIG. 3. In the
IBM AS/400, the OS/400 operating system includes an integrated
relational database which uses the well-known SQL (structured query
language) interface. A set of profiles may constitute an ordinary
table in this database. Each row 410-470 of database table 400 lists
a user or predefined group of users 401, the name 402 of a particular
application program, a resource 403 potentially used by that program,
a value 404 showing a status of that resource for that particular
user when executing that particular application, and a change status
405 for the value 404.

Column 401 in each row profile contains a representation of a sign-on
identification, either a user-id for one user or a group name which
can be specified in a conventional AS/400 system profile (not shown)
of that user. One person may of course have multiple sign-ons or user
identifications, and may be a member of multiple groups, and thus may
have different resource privileges for different purposes, even
within the same application program. The set of rows which name one
particular user, either specifically or by a group of which he is a
member, forms a profile such as 252 and 253 in FIG. 2 for that user.

Column 402 lists the names of various application programs which are
subject to resource manager 251, FIG. 2 — that is, those which block
307, FIG. 3 recognizes as being "compliant". If an application is
compliant, but is not listed in any row of table 400 for a particular
user or group, then that user or group cannot execute the application
program. (For implementation-specific reasons, block 311, FIG. 3,
actually checks a physically separate table which duplicates the
information in columns 401 and 402.)

An entry in column 403 specifies one of the system resources
potentially available to the application program specified in column
402 of the same row. These resources may include such functions as
the previously mentioned interactive-query mode of any database
program, distributed-data environment (DDE is a conventional method
for sharing data) support, and printing on the system printers.

Column 404 specifies an initial access value for the resource of
column 403; e.g., a "NO" in column 404 of row 410 indicates that a
user in the FINANCE group is blocked from using the interactive mode
when the spreadsheet application program is invoked at block 313,
FIG. 3. That is, he can use only the batch mode for queries.
Normally, users would not be permitted to change their own
authorizations for a resource; however, it is sometimes useful to
provide this capability. A "YES" entry in column 405 of the same row
means that a user in this group may, during execution of this
program, later change his authorization so as to use the interactive
mode.
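
An added example, not code from the patent: profile table 400 held as an SQL table and applied the way the text describes for blocks 311 and 312, with the sentry check the text calls crude kept as the server-side test of each request. The table, column, user and menu names are assumptions, as are the rules that the more restrictive row wins when rows disagree and that an unlisted resource is denied.

```python
import sqlite3

# Constructed rows in the shape of table 400: user-or-group (401), application
# (402), resource (403), value (404), change status (405). Only the FINANCE /
# spreadsheet / interactive-mode row mirrors the text; the others are made up.
ROWS = [
    ("FINANCE", "SPREADSHEET", "INTERACTIVE", "NO",  "YES"),
    ("FINANCE", "SPREADSHEET", "BATCH",       "YES", "NO"),
    ("FINANCE", "SPREADSHEET", "PRINT",       "YES", "NO"),
    ("alice",   "QUERY",       "INTERACTIVE", "YES", "NO"),
    ("alice",   "QUERY",       "BATCH",       "YES", "NO"),
]
# Hypothetical group membership (the text keeps this in a system profile).
GROUPS = {"alice": ["FINANCE"], "bob": ["FINANCE"], "carol": []}

# Constructed menu object: (label shown to the user, resource it engages).
SPREADSHEET_MENU = [
    ("Run query now", "INTERACTIVE"),
    ("Queue query for batch", "BATCH"),
    ("Print on system printer", "PRINT"),
]


def open_profiles(rows=ROWS):
    """Build the profile table in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (principal TEXT, application TEXT, "
               "resource TEXT, value TEXT, changeable TEXT)")
    db.executemany("INSERT INTO profiles VALUES (?, ?, ?, ?, ?)", rows)
    return db


class Session:
    """Rows naming one signed-on user, directly or through a group."""

    def __init__(self, db, user, groups=GROUPS):
        principals = [user] + list(groups.get(user, []))
        marks = ",".join("?" * len(principals))   # placeholders only
        query = ("SELECT application, resource, value, changeable "
                 "FROM profiles WHERE principal IN (%s)" % marks)
        self.rights = {}   # {application: {resource: [value, changeable]}}
        for app, res, value, chg in db.execute(query, principals):
            slot = self.rights.setdefault(app, {}).setdefault(res, ["YES", "YES"])
            # Assumption: when rows disagree, the more restrictive entry wins.
            if value != "YES":
                slot[0] = "NO"
            if chg != "YES":
                slot[1] = "NO"

    def may_execute(self, app):
        # An application with no row for this user or group cannot be run.
        return app in self.rights

    def allowed(self, app, resource):
        # Assumption: a resource with no row for a listed application is denied.
        return self.rights.get(app, {}).get(resource, ["NO", "NO"])[0] == "YES"

    def menu(self, app, choices):
        """Keep only the menu choices whose resource the profile allows."""
        if not self.may_execute(app):
            return []
        return [label for label, res in choices if self.allowed(app, res)]

    def change(self, app, resource, value):
        """Apply a user-requested change only where change status is YES."""
        entry = self.rights.get(app, {}).get(resource)
        if entry is None or entry[1] != "YES":
            raise PermissionError("%s/%s is not user-changeable" % (app, resource))
        entry[0] = "YES" if value == "YES" else "NO"

    def sentry(self, app, resource):
        """Recheck a request itself, whatever the menu happened to show."""
        return self.may_execute(app) and self.allowed(app, resource)


if __name__ == "__main__":
    bob = Session(open_profiles(), "bob")
    print(bob.menu("SPREADSHEET", SPREADSHEET_MENU))
    print(bob.sentry("SPREADSHEET", "INTERACTIVE"))
    bob.change("SPREADSHEET", "INTERACTIVE", "YES")
    print(bob.menu("SPREADSHEET", SPREADSHEET_MENU))
```

The menu filter shapes what the user sees; the `sentry` call is what decides whether a request that arrives anyway is honoured.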

The use of profiles in the present system allows a great deal of
flexibility. Resources may be grouped, such as "system printers".
Some resources may be permitted only under certain limitations. For
example, some database programs return a "cost" number denoting the
estimated amount of processor time required for a particular query;
an entry such as "SMALL" in row 430 indicates that interactive
queries are allowed to this user in this application when the
estimated cost is below a predetermined threshold. This situation is
quite common for many applications, as will be explained in
connection with FIG. 5. Many combinations of resources can be
specified, and varied needs can be accommodated. [...] hours [...] a
payroll application program because running an entire payroll
requires so much of the server's time that it should only be [...].
As another example, [...] differently depending upon where they are
called from [...]ment group in FIG. 4 has the use of system printers,
but [...] only from a menu which appears at the end of a verification
routine within the application program.

The use of an existing system database to store the profiles as
ordinary tables allows any existing data-entry program to serve as
the profile generator 254 of FIG. 2. In systems where no such
facility already exists, the invention may employ any conventional
database program or ad hoc facility for this purpose.

FIG. 5 is a high-level block diagram of the client module of a
typical application program 500, such as a query manager 290, FIG. 2,
incorporating the present invention. For specific details, reference
is made to the publicly available ShowCase Vista query application
("ShowCase" and "Vista" are trademarks of ShowCase Corporation). In
an interactive application, normally the first operation after
invocation is the display of a menu allowing the user to choose among
several major tasks, such as query input 520, data display 530, etc.
The Vista application 500 has a set 510 of identified menu objects
associated with it. Such objects can be created with conventional
program-development tools. They conventionally include dialog panels,
radio buttons, selection boxes, drop-down lists, and other
constructs. An application might display multiple constructs at the
same time at different positions on the user's screen. That is,
several types of choices might be available simultaneously.

During an execution of program 500, a block such as 521 presents a
query screen, block 522 receives a user's request, which is then
checked at block 523. Block 524 then selects menu 515 for the user to
choose a processing mode: interactive, batch, etc. When the choice
has been entered, block 525 sends the query and the mode choice to
the database server module 220, FIG. 2, via client and server modules
270 and 240. Module 220 then processes the query and returns data to
the database client module 290 at block 526. This block may present a
message or other indication to the user that the data has arrived, or
may merely display the data.

When task 520 has completed, application 500 returns to block 501,
which then allows the user to choose any of the tasks 520-550. The
other tasks 530-550 operate in an overall similar manner. Line 551
shows the end of execution of application 500.

FIG. 6 is a flowchart of a routine 600 for modifying the interface of
an application program 500 as required by block 312, FIG. 3. The
individual menu objects 511-519 in FIG. 5 initially include all
choices available to any user at any time during execution. The
purpose of routine 600 is to modify the set 510 of menu objects for
the specific application program 500 in accordance with the profile
for the particular user who is currently executing that program.
Block 312 enters routine 600 at line 601. Block 602 gets successive
rows of the profile 252 for the current user. When there are no more
rows, routine 600 exits at 603.

Because profile 252 contains rows for all application [...] reads
[...] to determine which resource is being specified. Block 606 finds
a menu object in [...] 510 which [...] to that resource. Block 607
determines from columns 404 and 405 what action is necessary to
modify the object. Blocks 608-611 indicate some of the actions that
could be [...]. Block 608 removes a choice from a selection list,
radio-button set, or similar construct, either [...] or by [...] out
on the construct. Block 609 can add a choice which was not already on
a selection list. Block 610 [...] object altogether, so that no
choice is available to the user. Block 611 sets a value, value range,
or similar limitation into a list, dialog box, etc. After the proper
operation, control returns to block 606 to find other menu objects.
If there are no more, control returns to block 602.

FIGS. 3 and 6 show [...] of menu objects 511-519 as occurring before
execution at block 313. FIG. 3 additionally shows the user's profile
being downloaded at the time the user signs on to a session at the
client terminal. In that case, the menu items can be changed from the
server only session-by-session, and remain the same for all
invocations of an application. It is also possible, however, to
download profiles at other times, so as to allow menu items to change
on a dynamic basis, whenever a system administrator modifies a
profile, or by some other factor, such as time of day, so that each
execution of an application could present different sets of choices.
Moreover, it is possible to run routine 600 during execution of the
application program, so that menu choices could vary even during a
single execution of an application.

Having described a preferred embodiment and a few of the many
variations and alternatives within the scope and spirit of the
present invention which may occur to those skilled in the art, we
claim:

1. A method of managing a set of shared system resources in a
computer network having at least one server coupled to a plurality of
clients each containing a plurality of application programs
executable by a plurality of users at said clients, said programs
having interfaces for allowing said users to choose dynamically among
said shared system resources, said method comprising:

generating in said server a plurality of profiles specifying
the allowability of individual ones of said shared system
resources within particular ones of said application
programs for certain ones of said users;

identifying one of said users at one of said client computers;

in response to said identification, selecting certain information
from said profiles corresponding to said individual shared
system resources for said particular application programs
for said one identified user;

detecting at said one client computer a request for a
particular one of said application programs by said one
user;

dynamically modifying at least one of said user interfaces
for said particular one application program in response
to said certain profile information corresponding to said
identified one user for said particular one application
program so as to make available to said one user only 
those of said shared system resources specified by said 
profile information for said particular one application 
program for said identified one user. 

2. A resource manager for a client/server network of 
computers coupled together by a communications means, 
said network executing a plurality of application programs 
having a server portion located in a server computer in said
network and having a client portion located in one or more 
client computers in said network and invoked by one of a 
number of users, said network further including a plurality 
of different system resources potentially usable by said 
application programs and physically shared among said 
application programs, each said application-program client 
portion having a user interface from which said one user can 
select different ones of said system resources during an 
execution of said client portion, said resource manager 
comprising: 

a set of profiles, each profile specifying said one user and 
a number of said application programs, and specifying, 
for individual ones of said number of application 
programs, a number of particular ones of said shared 
system resources, and specifying, for each of said 
particular resources, a number of rights of said one user 
to each of said particular resources for each of said 
individual application programs; 

means for detecting the identity of said one user at any 
one of said one or more client computers, and for 
selecting that profile corresponding to said one user, 

means for selecting individual portions of said selected 
profile corresponding to said individual application 
program; 

means for modifying said user interface for said indi- 
vidual application program in response to said indi- 
vidual portions of said selected profile so as to allow 
said user at said client computer to choose only those 
of said shared system resources specified by said indi- 
vidual portions. 

3. An individual interactive application program execut- 
able by a number of users in a client/server computer 
network having a number of physically shared resources, 
said network containing a stored profile specifying a par- 
ticular one of said users, a number of application programs 
including said individual application program, and 
specifying, for each of said application programs, a number 
of selectable ones of said shared system resources, and 
specifying, for each of said selectable resources for each of 
said application programs, a number of rights of said particular
one user to each of said certain resources, said
individual one application program comprising: 

means for selecting from said stored profile certain infor- 
mation peculiar to said individual application program 
for said particular one user; 

means for selecting among a plurality of functions in 
response to inputs from said one user, 

means responsive to said selecting means for performing 
said functions; 

a number of user-interface means within said function- 
performing means, each of said user-interface means 
presenting to said one user choices among one of said 
shared system resources; 
interface modifying means coupled to a plurality of said
user-interface means for modifying said choices of
respective ones of said shared system resources in
response to said rights of said particular one user with
respect to said individual application program as specified
in said profile information.

4. The method of claim 1, wherein the step of generating,
comprises the steps of:

for each user, identifying one or more of said application
programs which the user is authorized to execute; and

for each authorized application program, identifying
which shared system resources the user is permitted to
access.

5. A method of managing a set of shared system resources
in a computer network having at least one server coupled to
one or more clients, the one or more clients for use by one
or more users, the one or more clients capable of executing
a plurality of applications, comprising the steps of:

generating a plurality of profiles in a server, the plurality
of profiles specifying which shared system resources
are available to a particular user for a particular
application;

identifying a user signing onto the computer network
using a client;

associating a profile of the plurality of profiles with the
user;

downloading profile information from the server to the
client based on the profile;

detecting a request for execution of an application by the
user;

identifying available shared system resources based on
the user and the application using the profile
information; and

dynamically modifying a user interface to reflect the
available shared system resources, to control access of
the user to the set of shared system resources.

6. The method of claim 5, wherein the step of dynamically
modifying comprises the step of editing an external
initialization file associated with the application according to the
profile information, to control system resource options
presented to the user by the application.

7. The method of claim 5, wherein the step of dynamically
modifying comprises the step of controlling system resource
options presented to the user by the application using a
formal application program interface.

8. The method of claim 5, wherein the step of generating
a plurality of profiles comprises the step of:

constructing a profile for each user, the profile including
definitions of which applications the user is authorized,
and for each authorized application, a definition of
which shared system resources the user is permitted to
access.

9. The method of claim 8, wherein the step of detecting a
request for execution of an application by the user,
comprises the steps of:

comparing the application to the definitions in the profile
for the user to determine if the user is authorized to
execute the application; and

if the user is authorized to execute the application,
executing the application.
